Sendient Privacy Notice (US)

Effective: 3 October 2025

  1. Scope

This Privacy Notice explains how Sendient.ai (“Sendient”, “we”, “our”) collects, uses, and protects personal information in the United States. It applies to our products and services, including SmartEducator, SmartDetector, SmartAssessor, and internal HR/employee systems.

This notice is designed to meet requirements under:

  • Federal education and child protection laws (FERPA, COPPA, SOPPA, PPRA, CIPA).
  • State consumer privacy laws (including CCPA/CPRA – California, VCDPA – Virginia, CPA – Colorado, CTDPA – Connecticut, UTDPA – Utah).
  1. About Us

Sendient provides AI-driven assessment and compliance products. We are headquartered in the UK, with US operations.

Controller vs Processor roles:

  • Controller: Employee data
  • Processor: SmartEducator (on behalf of schools/educators), SmartDetector (user-submitted text), Sendient HR/employee data, SmartAssessor (on behalf of corporate clients).
  1. What Data We Collect

Depending on the service, we may collect or process:

  • Students/education users (via schools): names, identifiers, submissions, grades, feedback, metadata.
  • SmartDetector users: uploaded text (which may include incidental identifiers).
  • Corporate users (SmartAssessor): employee/engineer form inputs, compliance data, audit logs.
  • Employees (HR): contact, payroll, welfare, performance.
  • Marketing and support: contact details, preferences, IP address, usage data.
  • Recruitment: CVs, education/employment history, right-to-work info.
  1. How We Use Data

We use personal information for:

  • Providing marking and feedback (SmartEducator).
  • Identifying AI-generated content (SmartDetector).
  • Compliance checks and certification (SmartAssessor).
  • HR/payroll and employee welfare (internal).
  • Research, innovation, and service improvement.
  • Marketing (with opt-out).
  1. Legal Bases and Authority
  • Schools/education: FERPA and SOPPA govern school-provided student data. Sendient acts as a Processor, under contract with the school (Controller).
  • Children under 13: COPPA requires parental consent for data collection; we process only via schools acting “in loco parentis”.
  • Consumer privacy: For direct users (e.g. SmartDetector), we rely on contractual necessity and legitimate business interests, consistent with state privacy laws.
  • Employment: For employees, we process under employment contracts and applicable employment law.

We do not “sell” personal information. We do not share data for targeted advertising.

  1. Sharing Data

We may share with:

  • Service providers (e.g. Microsoft Azure US for hosting, Stripe for payments, Kinde for authentication).
  • Schools/employers (if you are using their services).
  • Regulators, auditors, or law enforcement, if legally required.

All providers are bound by contracts and data protection agreements.

  1. Children’s Privacy
  • COPPA: For children under 13, any data is collected only through schools with parental consent mechanisms. We do not knowingly allow children under 13 to create accounts directly.
  • FERPA: Schools remain responsible for educational records. Sendient acts as a Processor.
  • SOPPA (Illinois): Contracts with districts cover security, data breach notification, and deletion requests.
  1. Your Rights

Depending on your state, you may have the following rights:

  • Access: to request a copy of the data we hold.
  • Correction: to update inaccurate data.
  • Deletion: to request deletion of data.
  • Data portability: to request transfer of your data.
  • Opt-out: of the sale or sharing of personal data (we do not sell, but provide this right where required).
  • Limit use of sensitive data (California).
  • Appeal rights (Virginia, Colorado).

Requests can be made via datacontroller@sendient.ai. We will verify your identity before responding. Parents can exercise these rights on behalf of their children.

  1. Data Retention
  • Student/assessment data: retained for contract duration + up to 2 years, unless earlier deletion requested.
  • HR/payroll: retained as required by employment/tax law (generally 6 years).
  • Recruitment: up to 12 months post-process.
  • Marketing: until you opt out.
  1. Security

We use encryption, access controls, secure hosting (Azure US/region-locked), audit logging, and monitoring to protect personal data.

  1. International Transfers

If US data is accessed or transferred to the UK/EU, we use standard contractual clauses or equivalent safeguards to ensure protection.

  1. Changes to This Policy

We may update this notice to reflect changes in law or practice. Updated versions will be published on our website.

  1. Contact Us
  • Email: datacontroller@sendient.ai
  • Post: Sendient, Stoneythorpe Hall, Southam, Warwickshire, CV47 2DL, UK
  • US users may also raise concerns with their state Attorney General or Department of Education, depending on applicable law.

 

Last updated: 3 October 2025

 

 

 

Appendix: Your State Privacy Rights

If you live in one of the following states, you may have additional privacy rights under state law. These rights apply alongside the rights already explained in our main Privacy Notice.

California (CCPA/CPRA)

  • Right to know what personal information we collect, use, and disclose.
  • Right to access and request a copy of your personal information.
  • Right to correct inaccurate personal information.
  • Right to request deletion of personal information, subject to exceptions.
  • Right to opt out of the sale or sharing of personal information (we do not sell your data).
  • Right to limit use of sensitive personal information.
  • Right not to be discriminated against for exercising your rights.

Virginia (VCDPA)

  • Rights to access, correction, deletion, and portability.
  • Right to opt out of targeted advertising, sale of data, or profiling in certain contexts.
  • Right to appeal if a request is denied.

Colorado (CPA)

  • Rights to access, correction, deletion, portability, and opt-out (targeted ads, sale, profiling).
  • Right to appeal decisions.
  • We conduct data protection assessments as required for high-risk uses.

Connecticut (CTDPA)

  • Rights to access, correction, deletion, portability, and opt-out.
  • Consent required for processing sensitive personal data.

Utah (UTDPA)

  • Rights to access, copy, delete (user-provided data), portability, and opt-out (sale, targeted ads).
  • Does not provide correction or appeal rights.

New York (Education Law §2-d)

For K-12 student data:

  • Right to transparency about how data is collected, used, and shared.
  • Right to data security safeguards aligned with state standards.
  • Right to be notified of breaches.
  • Parents may inspect and request correction of their child’s education records.
  • Vendors (including Sendient) must sign state-compliant contracts with districts.

Illinois (SOPPA – 105 ILCS 85)

For K-12 student data:

  • Right to transparency about what data is collected and shared.
  • Parents may request to review and correct their child’s information.
  • Schools and vendors must maintain reasonable security practices.
  • Vendors must publicly post data agreements with districts.
  • Breach notification is required within 30 days.

Florida (Student Online Personal Information Protection Act – F.S. §1006.1494)

For K-12 student data:

  • Restrictions on targeted advertising, profiling, or selling student data.
  • Operators must use security measures to protect student information.
  • Parents may request deletion of student personal data when no longer needed.

Texas (Education Code §32.151 et seq.)

For K-12 student data:

  • Operators may not sell or misuse student information.
  • Restrictions on targeted advertising and profiling.
  • Parents and schools can request deletion of student data when contracts end.
  • Operators must implement security safeguards and comply with district contracts.

How to Exercise Your Rights

  • Contact us at datacontroller@sendient.ai.
  • We will verify your identity before fulfilling your request.
  • Parents may exercise these rights on behalf of their children.
  • If we deny your request, you may have the right to appeal (depending on your state law).

 

 

State Scope Key Rights for Individuals (Students/Consumers/Parents) Vendor / Operator Obligations Notes
California (CCPA/CPRA) Consumers (incl. minors) Access, copy, correction, deletion, portability, opt-out of sale/sharing, limit sensitive data use, no discrimination Privacy notice, respond to rights requests, honor opt-out, protect sensitive data Applies broadly, including edtech when dealing direct-to-consumer
Virginia (VCDPA) Consumers Access, correction, deletion, portability, opt-out (ads/sale/profiling), appeal rights Data protection assessments for high-risk uses Similar to Colorado/Connecticut
Colorado (CPA) Consumers Access, correction, deletion, portability, opt-out (ads/sale/profiling), appeal rights Conduct DPIAs, security safeguards
Connecticut (CTDPA) Consumers Access, correction, deletion, portability, opt-out; consent for sensitive data Data minimisation, security safeguards Very similar to VA/CO
Utah (UTDPA) Consumers Access, copy, delete (user-provided data), portability, opt-out (sale/ads) Basic security safeguards Narrower than others (no correction/appeal)
New York (Ed Law 2-d) K-12 student data Parents: access, correction, transparency, breach notification Vendors must sign compliant contracts, ensure security Applies only to education records
Illinois (SOPPA) K-12 student data Parents: access, correction; transparency; breach notice (30 days) Vendors must post contracts, safeguard data Schools/districts drive compliance
Florida (F.S. 1006.1494) K-12 student data Parents: deletion requests; protections from profiling/ads Operators: no targeted ads, no selling, safeguard data Student-focused protections
Texas (Ed Code 32.151 et seq.) K-12 student data Parents/schools: deletion requests Operators: no sale, no profiling, safeguard data Vendor contracts required

 

Scroll to Top